Skip to content

Guarantee that it is sound to observe the bytes of None::<P> where P is a pointer type subject to NPO #117591

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
joshlf opened this issue Nov 4, 2023 · 4 comments · Fixed by #137323 · May be fixed by joshlf/rust#1
Closed

Guarantee that it is sound to observe the bytes of None::<P> where P is a pointer type subject to NPO #117591

joshlf opened this issue Nov 4, 2023 · 4 comments · Fixed by #137323 · May be fixed by joshlf/rust#1
Labels
A-docs Area: Documentation for any part of the project, including the compiler, standard library, and tools T-lang Relevant to the language team T-opsem Relevant to the opsem team

Comments

@joshlf
Copy link
Contributor

joshlf commented Nov 4, 2023
edited
Loading

In #115333, we added a guarantee that transmuting from [0u8; N] to Option<P> is sound where P is a pointer type subject to the null pointer optimization (NPO). It would be useful to be able to guarantee the inverse - that if all of the bytes of P are initialized, then all of the bytes of None::<P> (and thus all of the bytes of any Option<P>) are initialized. For example, this would allow zerocopy to support safe transmutation from Option<P> to [u8; N] (google/zerocopy#596).

I'm opening this issue first rather than a PR so there's an opportunity to discuss whether this is something we want, how it would be best to document it, etc.
@rustbot rustbot added the needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. label Nov 4, 2023
This was referenced Nov 4, 2023
Open
Merged
@saethlin saethlin added A-docs Area: Documentation for any part of the project, including the compiler, standard library, and tools T-opsem Relevant to the opsem team T-lang Relevant to the language team and removed needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. labels Nov 4, 2023
@RalfJung
Copy link
Member

RalfJung commented Feb 20, 2025
edited
Loading

Cc @rust-lang/opsem

For thin pointer this seems perfectly fine, I am just not sure where to best document it.

I think for wide pointers, this is actually not true today (and seems unlikely to ever be true) -- the discriminant will be stored in one of the two "fields" of the pointer, which means that for None the other field is padding.

This was referenced Feb 20, 2025
Open
Merged
@joshlf
Copy link
Contributor Author

joshlf commented Feb 20, 2025

Sounds good. Put up a PR to guarantee this for thin pointers: #137323

@RalfJung
Copy link
Member

RalfJung commented Feb 21, 2025
edited
Loading

In #115333, we added a guarantee that transmuting from [u8; N] to Option<P> is sound where P is a pointer type subject to the null pointer optimization (NPO).

No that's not what that PR did? It just talks specifically about transmuting [0u8; N], not arbitrary arrays of that type.

And similarly, looking at what you did in the new PR, it doesn't seem to match the issue description. The PR only guarantees that None::<P> can be transmuted to a u8 array and will yield a bunch of 0u8; it doesn't talk about e.g. transmuting Some(Box::new(i32)). That would be a ptr-to-int transmute so it is anyway tangled up in rust-lang/unsafe-code-guidelines#547.

@joshlf
Copy link
Contributor Author

joshlf commented Mar 5, 2025

In #115333, we added a guarantee that transmuting from [u8; N] to Option<P> is sound where P is a pointer type subject to the null pointer optimization (NPO).

No that's not what that PR did? It just talks specifically about transmuting [0u8; N], not arbitrary arrays of that type.

Good point; updated the issue text.

And similarly, looking at what you did in the new PR, it doesn't seem to match the issue description. The PR only guarantees that None::<P> can be transmuted to a u8 array and will yield a bunch of 0u8; it doesn't talk about e.g. transmuting Some(Box::new(i32)). That would be a ptr-to-int transmute so it is anyway tangled up in rust-lang/unsafe-code-guidelines#547.

Yeah, I realized the ptr-to-int issue and decided to stick with the more limited (and hopefully less controversial) None case.

@bors bors closed this as completed in 334d7bd May 24, 2025
rust-timer added a commit that referenced this issue May 24, 2025
@rust-timer
Unrolled build for #137323
3466762 
Rollup merge of #137323 - joshlf:transmute-npo, r=RalfJung

Guarantee behavior of transmuting `Option::<T>::None` subject to NPO

In #115333, we added a guarantee that transmuting from `[0u8; N]` to `Option<P>` is sound where `P` is a pointer type subject to the null pointer optimization (NPO). It would be useful to be able to guarantee the inverse - that a `None::<P>` value can be transmutes to an array and that will yield `[0u8; N]`.

Closes #117591
github-actions bot pushed a commit to model-checking/verify-rust-std that referenced this issue May 26, 2025
@matthiaskrgr
Rollup merge of rust-lang#137323 - joshlf:transmute-npo, r=RalfJung
e4f7384 
Guarantee behavior of transmuting `Option::<T>::None` subject to NPO

In rust-lang#115333, we added a guarantee that transmuting from `[0u8; N]` to `Option<P>` is sound where `P` is a pointer type subject to the null pointer optimization (NPO). It would be useful to be able to guarantee the inverse - that a `None::<P>` value can be transmutes to an array and that will yield `[0u8; N]`.

Closes rust-lang#117591
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
A-docs Area: Documentation for any part of the project, including the compiler, standard library, and tools T-lang Relevant to the language team T-opsem Relevant to the opsem team
Projects
None yet
Milestone
No milestone
4 participants
@RalfJung @joshlf @saethlin @rustbot